topic Re: CCV Filter settings and CIM in Integration and Testing

CCV Filter settings and CIM

moklett — Wed, 10 Feb 2010 15:01:41 GMT

When using CIM, there are several opportunities to provide the "card code" (or CVV, or CCV) value when making a request. Most notably, you can send the card code when:

You're creating and storing a payment profile
You're creating a transaction (i.e. auth and caputure) against a stored payment profile

BUT, there is only one set of settings for the CCV Filter.

What if you want to validate the CCV when storing the payment profile, but not every time you run a transaction against the stored payment profile? Is this use case supported?

As a merchant, I have the CCV when the payment profile is first created, but not later when I want to run transactions against it. From the docs it would seem that, in order to enable and use the CCV Filter, a merchant would need to also submit the card code with every transaction request.

Re: CCV Filter settings and CIM

stymiee — Wed, 10 Feb 2010 17:09:13 GMT

@moklett wrote:
What if you want to validate the CCV when storing the payment profile, but not every time you run a transaction against the stored payment profile? Is this use case supported?

Yes. Naturally you are not expected to have the CVV code for future payments against a payment profile. That would mean you would either have to store it (against PCI guidelines) or ask the customer for it every time you make a payment (not realistic or practical). That's why recurring payments work since the CVV is obviously not submitted for each subscription payment. I suspect it works like recurring billing payments where once an initial payment has been made using the CVV code subsequent payments no longer require it.

Re: CCV Filter settings and CIM

soundcommerce — Wed, 10 Feb 2010 19:07:42 GMT

@moklett wrote:
When using CIM, there are several opportunities to provide the "card code" (or CVV, or CCV) value when making a request. Most notably, you can send the card code when:

You're creating and storing a payment profile
You're creating a transaction (i.e. auth and caputure) against a stored payment profile
BUT, there is only one set of settings for the CCV Filter.
What if you want to validate the CCV when storing the payment profile, but not every time you run a transaction against the stored payment profile? Is this use case supported?
As a merchant, I have the CCV when the payment profile is first created, but not later when I want to run transactions against it. From the docs it would seem that, in order to enable and use the CCV Filter, a merchant would need to also submit the card code with every transaction request.

If I may ask, (just to play a little devils advocate) why would you need to submit the ccv again if it was successfully validated (or not) for the initial transaction?

Can we just assume that when charging the payment profile using "createCustomerProfileTransaction" the CCV passed in the prior transaction was indeed valid? (if a positive response was received for ccv)

My reason for exploring this topic is a matter of why? and not how?.

Rebuttals are welcomed :)

Thank You!

Re: CCV Filter settings and CIM

moklett — Wed, 10 Feb 2010 19:27:16 GMT

@stymiee, thanks for the response. I would suspect (and really do hope for) the same thing, but there is no indication in any documentation that this would be the case. In fact, the CIM documentation for createCustomerProfileTransactionRequest says that, for cardCode:

This field is required if the merchant would like to use the CCV security feature.

Can you confirm that the docs are wrong? And that if the CVV is validated when the profile is created, the CCV Filter will not prevent later transactions that are not sent with the CVV?

@soundcommerce: I'm with you on this. What you say is what it seems _should_ happen, but its just not what the docs are saying.

Re: CCV Filter settings and CIM

soundcommerce — Wed, 10 Feb 2010 19:33:28 GMT

The CIM integration guide requires this field if the merchants plans to use CCV filter on subsequent transactions.

Required only when the merchant would like to use the Card Code Verification (CCV) filter.

Why would you need to verify/validate the CCV code again after creating the payment profile?

That's my only question.

Thanks!

Re: CCV Filter settings and CIM

stymiee — Wed, 10 Feb 2010 21:50:39 GMT

@moklett wrote:
Can you confirm that the docs are wrong? And that if the CVV is validated when the profile is created, the CCV Filter will not prevent later transactions that are not sent with the CVV?

The CVV is only validated when a transaction is actually performed. If you use the AIM API to process a payment before using the CIM API to process a payment (this may or may not occur depending on your businessmodel) you can verify the CVV at that point intime. If no transaction will occur before before using the CIM API to process a transaction may wish to perform an AUTH_ONLY on the credit card to verify the CVV (and AVS while you're at it).

A scenario where you would use the AIM API before establishing a CIM profile or processing a payment via CIM is for a variable rate subscription. If the first payment for the subscription is made immediately upon registration you would use the AIM API to process it and then you would know the results of the CVV check. If it meets the criteria you have set forth then you can create the CIM profile and process all future payments using CIM. If not, you can let the user know they need to correct their information or try a new card.

Re: CCV Filter settings and CIM

moklett — Wed, 10 Feb 2010 23:17:00 GMT

I assumed that a blank cardCode would trigger an N, P, and/or S Card Code Response. In other words, I thought enabling any of the CCV Filter checks then required a cardCode to be sent.

It seems like what you guys are saying is "if you don't want to use the CCV Filter, then don't send the cardCode", so my assumption must have been wrong.

Re: CCV Filter settings and CIM

soundcommerce — Wed, 10 Feb 2010 23:24:44 GMT

@moklett wrote:
I assumed that a blank cardCode would trigger an N, P, and/or S Card Code Response. In other words, I thought enabling any of the CCV Filter checks then required a cardCode to be sent.

It seems like what you guys are saying is "if you don't want to use the CCV Filter, then don't send the cardCode", so my assumption must have been wrong.

Hello Moklett,

That would be the correct assumption; but once again, I would like to challenge the reason of why would you need to send the ccv2 again to charge a payment profile that passed card code validation initially?

Collectively as a whole, we understand the features and limitations of the CIM API as it relates to card codes.

We must now dig deeper within self to explore the reason of why? You will find that there is no need to resend the card code after initial validation.

Thank You!

Re: CCV Filter settings and CIM

moklett — Fri, 12 Feb 2010 00:09:19 GMT

soundcommerce, are you asking a rhetorical question, or are you not understanding me?

I do not WANT to send the card code after it has first been validated. I do not. I cannot.

My reading of the documentation lead me to believe that it is not possible to enable CCV Filter in a way that would allow me to validate the CCV when the payment profile was first stored, but not trigger mismatches if I did not send the cardCode with later CIM transactions.

I am not saying I want to send the card code every time. There is no "why?" that you keep referring to.

Re: CCV Filter settings and CIM

soundcommerce — Fri, 12 Feb 2010 00:30:18 GMT

Is it currently giving you a mismatch for a previously stored payment profile when performing "createCustomerProfileTransaction"?

Re: CCV Filter settings and CIM

moklett — Fri, 12 Feb 2010 14:18:20 GMT

Not so far, but I haven't experimented much with the CCV Filter because I was afraid of rejecting those transactions (based on the documentation). I have a live environment that I can run some tests in - I'll post the results. Thanks.

Re: CCV Filter settings and CIM

soundcommerce — Fri, 12 Feb 2010 16:05:59 GMT

Would love to see the results!

Thank You!

Re: CCV Filter settings and CIM

wbr — Mon, 01 Mar 2010 20:46:49 GMT

I am also struggling with this issue. We upload CVV values to the CIM gateway only when creating a payment profile. After that, our customers will use their CIM profile to process any further transactions. We cannot ask our customers to re-input CVV values.

So am I correct that even when our Authnet account is set to reject bad/nonexistent CVV vales, we can create a CIM transaction without the CVV values... And as long as we have a valid payment profile, Authnet will accept the transaction request?

Or are we stuck requiring CVV values for ALL transactions, if our Authnet account is set to require them?

Thanks

Re: CCV Filter settings and CIM

stymiee — Mon, 01 Mar 2010 21:09:55 GMT

Once you have a valid payment profile you do not need to ask the customer for any more information. You can use the existing payment profile as is. If that weren't the case then CIM would be almost useless.

Re: CCV Filter settings and CIM

hotslots132 — Fri, 05 Mar 2010 02:05:51 GMT

Indeed - the whole point of CIM is to store all the information needed for future transactions. Not only is the CVV not required when submitting a transaction using a payment profile, there is no way to provide it if you wanted to.

If you somehow want to verify that the customer is the same customer who first entered the data, then you could update the payment profile with the CVV added and see if it still validates.

Re: CCV Filter settings and CIM (THE FACTS)

soundcommerce — Sun, 07 Mar 2010 22:46:17 GMT

@hotslots132 wrote:
Indeed - the whole point of CIM is to store all the information needed for future transactions. Not only is the CVV not required when submitting a transaction using a payment profile, there is no way to provide it if you wanted to.

If you somehow want to verify that the customer is the same customer who first entered the data, then you could update the payment profile with the CVV added and see if it still validates.

Greetings,

I agree with "hotslots132" on the purpose of CIM, however there is one flaw with the last statement. The ccv2 (card code) can be provided when charging the customer's credit card through the "createCustomerProfileTransaction" request.

Please see the facts below:

Question:
Is the CCV2 (card code) required when submitting "createCustomerProfileTransaction" types?

Answer:
Required only when the merchant would like to use the Card Code Verification (CCV) filter.

Reference:
Please see page 24 of 110 of the CIM XML GUIDE

Re: CCV Filter settings and CIM (THE FACTS)

hotslots132 — Sun, 07 Mar 2010 22:49:32 GMT

You are absolutely correct - I had missed that the "card code" is an optional input to that.

Re: CCV Filter settings and CIM (THE FACTS)

soundcommerce — Sun, 07 Mar 2010 23:23:30 GMT

Not a problem Steve,

It's definitely not a matter of right or wrong, just pointing out the facts. I hope you will do the same for me one day :)

Thank You!

@hotslots132 wrote:
You are absolutely correct - I had missed that the "card code" is an optional input to that.

Re: CCV Filter settings and CIM

jimmyhuang — Mon, 01 Oct 2012 09:39:56 GMT

Hi, John,

I am using a CIM hosted form, and I want to make sure customer validate their CCV before storing credit card to CIM backend.

To do this, I use “settings” -> “payment form” -> “form fields”, and “required” for “Card Code”. I also select “settings” -> “card code verification”, and set “Allow” for N,P,S,U (just to see if CCV can pass).

Now my hosted form will check CCV and validate, but when I use “createCustomerProfileTransactionRequest”, it ask also for Card Code.

But I already validated using the hosted form, and I do not want to verify again. I mean, I do not want my customer to type in CCV every time he wants to purchase, but I want to validate the card the first time when using the hosted form.

I checked the thread, but cannot find an answer to this case.

How can I do this?